appendcols

Description

Appends the fields of the subsearch results with the input search results. External fields of the subsearch that do not start with an underscore character ( _ ) are not combined into the current results. The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on.

Syntax

appendcols [override=<bool> | <subsearch-options>...] <subsearch>

Required arguments

subsearch

Description: A secondary search added to the main search. See how subsearches work in the Search Manual.

Optional arguments

override

Syntax: override=<bool>

Description: If the override argument is false, and if a field is present in both a subsearch result and the main result, the main result is used. If override=true, the subsearch result value is used.

Default: override=false

subsearch-options

Syntax: maxtime=<int> | maxout=<int> | timeout=<int>

Description: These options control how the subsearch is executed.

Subsearch options

maxtime

Syntax: maxtime=<int>

Description: The maximum time, in units of seconds, to spend on the subsearch before automatically finalizing.

Default: 60

maxout

Syntax: maxout=<int>

Description: The maximum number of result rows to output from the subsearch.

Default: 50000

timeout

Syntax: timeout=<int>

Description: The maximum time, in units of seconds, to wait for the subsearch to fully finish.

Default: 60

Examples

Example 1:

Search for "404" events and append the fields in each event to the previous search results.

... | appendcols [search 404]

Example 2:

This search uses appendcols to count the number of times a certain field occurs on a specific server and uses that value to calculate other fields.

First, this search uses stats to count the number of individual users on a specific server and names that variable "totalUsers".

Then, this search uses appendcols to search the server and count how many times a certain field occurs on that specific server. This count is renamed "VariableA". The addinfo command is used to constrain this subsearch within the range of info_min_time and info_max_time.
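
The positional merge and the override rule described on this page can be modelled outside Splunk. The following Python sketch is an added illustration, not Splunk code and not the search that Example 2 describes; the host names, field names and helper functions are constructed, and ignoring extra subsearch rows is an assumption because the page does not cover that case. It shows that a subsearch returning rows in a different order pairs values with the wrong row, and how carrying the key under a second name exposes the mismatch.

```python
"""Model of the appendcols merge described above (added illustration)."""


def appendcols(main, sub, override=False):
    """Merge sub[i] into main[i] by position, never by key.

    override=False: on a field-name clash the main result's value is kept.
    override=True:  on a clash the subsearch result's value is used.
    Assumption: subsearch rows beyond len(main) are ignored.
    """
    merged = []
    for i, row in enumerate(main):
        out = dict(row)
        if i < len(sub):
            for field, value in sub[i].items():
                if override or field not in out:
                    out[field] = value
        merged.append(out)
    return merged


def rename_field(rows, old, new):
    """Copy rows with one field renamed, so it cannot clash with the main result."""
    return [{(new if k == old else k): v for k, v in r.items()} for r in rows]


def misaligned_rows(merged, key, sub_key):
    """Rows whose subsearch-side key disagrees with the main-side key."""
    return [r for r in merged if sub_key in r and r[key] != r[sub_key]]


# Constructed sample data: per-host 404 counts (main) and per-host totals (sub).
MAIN = [{"host": "web01", "count": 12}, {"host": "web02", "count": 3}]
SUB_SORTED = [{"host": "web01", "total": 400}, {"host": "web02", "total": 90}]
SUB_SHUFFLED = [{"host": "web02", "total": 90}, {"host": "web01", "total": 400}]

if __name__ == "__main__":
    # override=false keeps the main "host", so the wrong total is attached silently.
    print(appendcols(MAIN, SUB_SHUFFLED))
    # override=true replaces "host" instead, so the count now sits on the wrong host.
    print(appendcols(MAIN, SUB_SHUFFLED, override=True))
    # Keeping the subsearch key under another name makes the mismatch testable.
    tagged = rename_field(SUB_SHUFFLED, "host", "sub_host")
    print(misaligned_rows(appendcols(MAIN, tagged), "host", "sub_host"))
```

In a search that feeds an alert or a ratio, the same check amounts to sorting both result sets on the shared key and comparing the key field from each side before using the merged values.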
